In a way this shouldn't surprise anyone. The weakest link in issuing SSL certificates has always been the question of how much checking the issuing CA does to make sure that the requester of the certificate has the right to ask for that certificate - I shouldn't be able to get a certificate for a domain if I'm pretending to be "Google Inc." (the real one doesn't have the dot). How hard do they check? How do we know that they haven't just been bribed to give it, or strong-armed by their government? How do we know that the person who got this certificate hasn't shopped around to find the CA that offers the least amount of checking? We don't, that's the problem.
But I disagree with Matt's assertion that this means we have to invent a new certificate signing and authentication technology in order to solve this. This is not a technological problem, it's a social one. We need to reduce the number of Certificate Authorities, ensure they all verify everything to the same (high) standard, and make the process open so that we can verify it. The case of the Chinese CA in Firefox only highlights this problem. Coming up with a standard even more complex than X.509 is not the answer.